Bump Netty to 4.1.132.Final to fix CVE-2026-33870 and CVE-2026-33871 (#1347)

## Description
Bumps `io.netty:netty-bom` from `4.1.130.Final` to `4.1.132.Final` to
address two High severity CVEs:

| CVE | Package | Severity | Description |
|-----|---------|----------|-------------|
| CVE-2026-33870 | `io.netty:netty-codec-http` | High (CVSS 7.5) |
HTTP/1.1 Request Smuggling |
| CVE-2026-33871 | `io.netty:netty-codec-http2` | High (CVSS 8.7) |
HTTP/2 CONTINUATION frame flood DoS |

Both CVEs were patched in [Netty
4.1.132.Final](https://netty.io/news/2026/03/24/4-1-132-Final.html)
(released March 24, 2026).

Fixes #1346

Author: srprash

CHANGELOG.md

@@ -17,6 +17,8 @@ If your change does not need a CHANGELOG entry, add the "skip changelog" label t
   ([#1342](https://github.com/aws-observability/aws-otel-java-instrumentation/pull/1342))
 - End support for ADOT Java 1.x: remove v1 image scans and update README#1339
   ([#1339](https://github.com/aws-observability/aws-otel-java-instrumentation/pull/1339))
+- Bump Netty to 4.1.132.Final to fix CVE-2026-33870 and CVE-2026-33871
+  ([#1347](https://github.com/aws-observability/aws-otel-java-instrumentation/pull/1347))
 
 ## v2.25.1 - 2026-03-11
 

dependencyManagement/build.gradle.kts

@@ -40,10 +40,10 @@ val dependencyBoms = listOf(
   "com.google.protobuf:protobuf-bom:3.25.1",
   "com.linecorp.armeria:armeria-bom:1.26.4",
   "io.grpc:grpc-bom:1.59.1",
-  // netty-bom is a fix for CVE-2025-67735 (https://github.com/advisories/GHSA-84h7-rjj3-6jx4).
+  // netty-bom pins to fix CVE-2026-33870 and CVE-2026-33871.
   // Remove once https://github.com/aws/aws-sdk-java-v2/pull/6635 is released and
   // AWS SDK for Java (v1) is upgraded to 1.12.796 at least.
-  "io.netty:netty-bom:4.1.130.Final",
+  "io.netty:netty-bom:4.1.132.Final",
   "io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha:$otelAlphaVersion",
   "org.apache.logging.log4j:log4j-bom:2.21.1",
   "org.junit:junit-bom:5.10.1",